VLAN WIRELESS

I've been trying to configure an Aironet 1300 with two VLANs with authentication but I can't get it working. Can you suggest a configuration?

I hope this link helps - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml
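The question above asks for two VLANs with authentication on an Aironet 1300. The configuration below is an added example, not from the thread or the linked Cisco document: two SSIDs on an autonomous IOS access point, each mapped to its own VLAN and protected by WPA2-PSK with AES-CCMP, with the AP's own management address on native VLAN 1 through a single BVI. Assumed are the VLAN IDs 10 and 20, the SSID names, the placeholder passphrases, the BVI address and the interface names FastEthernet0/Dot11Radio0 (check yours with show ip interface brief). The switch port the AP plugs into must be an 802.1Q trunk carrying VLANs 1, 10 and 20 with VLAN 1 native.

```cisco
! Added example: autonomous Aironet AP, two SSIDs on two VLANs, WPA2-PSK/AES on each.
! VLAN 1 (native) carries only the AP's management address via BVI1.
! VLAN IDs, SSID names, passphrases and addresses are placeholders, not from the thread.
dot11 ssid STAFF
 vlan 10
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 ReplaceWithStaffPassphrase
!
dot11 ssid GUEST
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 ReplaceWithGuestPassphrase
! only one SSID can be beaconed without MBSSID; STAFF stays hidden
 guest-mode
!
interface Dot11Radio0
 no ip address
! one cipher suite per VLAN; each SSID gets its own PSK-derived keys
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid STAFF
 ssid GUEST
 station-role root
!
! native VLAN: bridge-group 1 is the one BVI1 lives on
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
! client VLANs are bridged radio <-> ethernet in their own bridge groups, no IP on the AP
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0
 no ip address
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface BVI1
 ip address 192.168.1.5 255.255.255.0
!
bridge 1 route ip
```

Verify with show dot11 associations (each client should be listed with the VLAN of its SSID) and show vlans on the AP. If a STAFF client ends up with a GUEST-network address, the VLAN number on a radio or Ethernet subinterface does not match its bridge-group number.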

Tags: Cisco Wireless

Similar Questions

  • Assign different VLAN wireless authentication

    Dear Stephen,

    I want to know whether this product fits the following situation.

    The user will use their laptop to access the internet in the following way.

    1. They will go to a web portal to choose their internet service provider and connect to the service.

    2. Once they have connected successfully, they can use their PC to access the internet.

    What I think is that they will first have access to a public web portal VLAN; once they have authenticated, their link will be assigned to a different VLAN (per service provider). Eventually they get an IP address from the DHCP server on the MS server and go to the internet.

    I can't find a solution for the above situation. Can you help me?

    I suggest that you go for the Cisco Unified Wireless solution. More information about the Cisco Unified Wireless solution is available at http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_package.html

    For your scenario, I suggest that you create two VLANs: one for guest users and the other for internal users. An example configuration is available at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

  • VLAN and configuration questions for Cisco AIR-CT2504-25-K9 controller

    Hello

    It's my first time with the Cisco wireless solutions, so I was hoping someone could help me with the following:

    We just bought the AIR-CT2504-25-K9 controller with some AIR-CAP1702I-E-K9 access points.

    The network is as follows:

    Layer 3 device (managed by a third party): it's on the domain network (default VLAN 1, untagged).

    ADSL router: it's the guest wireless network (default VLAN 4, tagged).

    VoIP: VLAN 5.

    Both devices go into a Cisco SG500-52 switch (Layer 2). There is a trunk port on the SG500 switch with VLAN 1 (tagged) and VLAN 4 (tagged). The WLAN controller is plugged into this trunk port.

    The data and management networks are in the same subnet and on the same VLAN (1).

    I used the controller setup wizard.

    There are three interfaces:

    management: VLAN ID 1, IP 192.168.1.2, Port 1 (configured with the domain network gateway, DHCP, etc.).

    guest wireless: VLAN ID 4, IP 192.168.5.1, Port 1 (configured with the ADSL modem router, DHCP, etc.).

    Virtual IP 192.0.2.1

    DHCP proxy enabled globally.

    There are two WLANs:

    (1) domain - management interface - SSID abc.

    (2) guest - guest wireless interface - SSID xyz (the wizard set it to management, but I changed it to the guest wireless interface).

    The APs are connected to another SG500 switch, which is trunked to the switch with the controller.

    The ports the APs are connected to have only VLAN 1 untagged. They don't have VLAN 4, tagged or untagged. However, everything seems to work as expected.

    When I join the guest network (SSID xyz), I get an IP address from the ADSL router and all Internet traffic goes through it. When I connect to the domain network (SSID abc), I get an IP address from the DHCP on the Windows Server and all traffic goes through the layer 3 device (I checked the public IP address in my browser). I can't ping anything from one network to the other.

    My questions are the following:

    (1) How does the guest network traffic (VLAN 4) get from the APs to the controller when they are connected to ports on VLAN 1? Is it because the traffic is encapsulated?

    (2) Is it set up correctly? After configuring the controller, I saw a note in the forums stating that I can simply enter 0 for the management VLAN to leave it untagged. However, in my case, I kept it as 1, which is the same as on the switches, and then tagged the VLAN on the switch. In addition, the wizard set the guest WLAN to use the management interface, but I changed it to use the guest interface.

    (3) When I connect to the APs from the controller, I see several options that can be configured manually. Is this necessary? For example, there is a data encryption option.

    Thank you

    A

    Hello

    (1) How does the guest network traffic (VLAN 4) get from the APs to the controller when they are connected to ports on VLAN 1? Is it because the traffic is encapsulated?

    Yes, it's CAPWAP:

    More information: http://lets-start-to-learn.blogspot.de/2014/08/cisco-wireless-understand...

    (2) Is it set up correctly? After configuring the controller, I saw a note in the forums stating that I can simply enter 0 for the management VLAN to leave it untagged. However, in my case, I kept it as 1, which is the same as on the switches, and then tagged the VLAN on the switch. In addition, the wizard set the guest WLAN to use the management interface, but I changed it to use the guest interface.

    If you want the mgmt interface to be untagged then put 0, otherwise you can use VLAN 1.

    I don't know what is configured under the mgmt and guest interfaces, but going by the names I'd say yes, you should set the guest WLAN to the guest interface.

    (3) When I connect to the APs from the controller, I see several options that can be configured manually. Is this necessary? For example, there is a data encryption option.

    Yes, there are many things you can configure, but I'd leave most things at the default unless you really need to change them!

    Follow these best practices: http://www.borderlessccie.net/?p=270

    Regards

    Remember to rate useful posts

  • Cisco SG500 and VLAN

    OK, so here is what I'm trying to accomplish with 3 Cisco SG500-52 switches. I created 4 VLANs on an SG500 I call my central office switch, and it is set in routing mode. My VLANs are 400 (infrastructure: ESXi hosts, firewall, etc.), 401 (VoIP), 402 (users) and 403 (wireless). I have configured the interfaces and routing without problem; I can reach across my subnets and the remote-access links to the 3 offices.

    Where I'm not sure is on the SG500 I set as an L2 switch, where my ESXi hosts are connected (I have 10 ports on a separate VLAN for iSCSI traffic): do I have to create VLAN 400 and set those ports untagged? Then should I use 1-2 ports, set them as trunk ports and tag 400 towards my main switch?

    If so, on the main switch do I create trunk ports and tag the VLANs that the L2 switch should access? Is this also the case for the other SG500s I have, which are all devices for VLAN 402?

    Am I overthinking it?

    Thanks in advance for any help.

    Hi Sdonnelly2,

    For VLANs 400 and 402, the uplink to your SG500 (L2) would be 400U and 402T.

    Other interfaces for VoIP phones on VLAN 401 would be configured as 401T. This is if your phones expect tagged traffic; otherwise they would be configured as 401U.

    For VLAN 402, other interfaces would still be 402U. PCs only handle untagged traffic.

    For wireless VLAN 403, the access point uplink must be configured (400U, 401T, 402T, 403T).

    This is perhaps more information than you expected, but I hope I have answered the other questions you had.
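An added example, not from the thread, that puts the U/T rules in the answer above into SG500 CLI, and also covers the CAPWAP point from the AIR-CT2504 question earlier on this page (a lightweight AP needs only the management VLAN on its port because client VLANs ride inside the CAPWAP tunnel, while the controller's port must be a trunk carrying every client VLAN). It goes slightly beyond the answer by showing those last two port types. Assumptions: the interface numbers and descriptions, the stacked-style names gi1/1/N (adjust to your unit), and that the phones take their VLAN by 802.1Q tag.

```cisco
! Added example, not from the thread: SG500 (Sx500 CLI) ports for the VLAN scheme above.
! 400 = infrastructure/management, 401 = VoIP, 402 = users, 403 = wireless.
! Interface numbers and names are assumptions.
vlan database
 vlan 400-403
exit
!
! Uplink from the L2 SG500 to the routing SG500: 400 untagged (native), 401-403 tagged.
interface gigabitethernet1/1/1
 description UPLINK-to-core
 switchport mode trunk
 switchport trunk native vlan 400
 switchport trunk allowed vlan add 401-403
!
! Autonomous AP carrying all SSIDs: same shape as the uplink (400U, 401T, 402T, 403T).
interface gigabitethernet1/1/2
 description Autonomous-AP
 switchport mode trunk
 switchport trunk native vlan 400
 switchport trunk allowed vlan add 401-403
!
! IP phone with a PC behind it: voice tagged 401, PC untagged 402.
interface gigabitethernet1/1/3
 description Phone-and-PC
 switchport mode trunk
 switchport trunk native vlan 402
 switchport trunk allowed vlan add 401
!
! Plain PC: access port, untagged 402 only.
interface gigabitethernet1/1/4
 description User-PC
 switchport mode access
 switchport access vlan 402
!
! Lightweight (CAPWAP) AP: access port in the management VLAN only.
! Client VLANs never appear on this port; they are inside CAPWAP (UDP 5246/5247) to the WLC.
interface gigabitethernet1/1/5
 description CAPWAP-AP
 switchport mode access
 switchport access vlan 400
!
! Wireless LAN controller: trunk with management native plus every client VLAN
! the controller must de-encapsulate into.
interface gigabitethernet1/1/6
 description WLC
 switchport mode trunk
 switchport trunk native vlan 400
 switchport trunk allowed vlan add 401-403
```

Check each port with show interfaces switchport gi1/1/N and the membership table with show vlan: the native VLAN is the one listed untagged, and anything not in the allowed list is dropped silently, which is the usual reason a tagged VLAN "does not pass" across an uplink.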

  • Add the wireless access point IP address

    Here's my situation...

    We have guest wireless internet at my hospital. This wireless VLAN is only allowed to access the internet and nothing else (nothing on our internal network; essentially a permitted wireless network). I would like guests to be able to print on a particular printer on our network. Is this possible?

    You can, but you must poke a hole through your firewall or allow traffic to this printer. Why not add a network printer which guests can use... otherwise, you are compromising your network.
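If you do take the "allow traffic for this printer" route, here is the shape of that hole as an added example (not from the thread): an IOS extended ACL on the guest VLAN's routed interface that permits only the two printing ports to the one printer and blocks every other internal destination, with logging on the denies so probing from the guest network is visible. The guest subnet, printer address, VLAN number and interface name are constructed for the example.

```cisco
! Added example, not from the thread. Guest VLAN 192.168.50.0/24 behind SVI Vlan165,
! printer at 10.10.20.25 on the corporate network. All addresses are constructed.
ip access-list extended GUEST-IN
 remark DHCP and DNS served by the router itself (adjust if they live elsewhere)
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 remark Printer only: raw JetDirect (9100) and IPP (631); the printer's web admin stays blocked
 permit tcp 192.168.50.0 0.0.0.255 host 10.10.20.25 eq 9100
 permit tcp 192.168.50.0 0.0.0.255 host 10.10.20.25 eq 631
 remark Everything else internal (RFC 1918) is denied and logged
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark Internet is allowed
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan165
 description Guest wireless
 ip address 192.168.50.1 255.255.255.0
 ip access-group GUEST-IN in
```

Apply it inbound on the guest SVI so it is evaluated before routing; return traffic from the printer enters on the corporate VLAN and is not touched. Watch show access-lists GUEST-IN and the log for hits on the deny lines. The answer's alternative, a printer that lives on the guest VLAN itself, needs none of this.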

  • SRP547W line access from an IP phone over the VoIP Wi-Fi VLAN

    The SRP547W supports the creation of wireless voice and data VLANs.

    Can I set up a Wi-Fi IP phone to connect to the SRP547W voice Wi-Fi VLAN and have the SRP associate it with line 1 (instead of a standard telephone connected to the FXO line 1 port, without additional hardware)?

    Hi Gary,

    Sorry, this is not possible. There is no SIP-to-FXO path on the SRP540, just an internal mechanism to connect the internal FXS ports for incoming and outgoing calls.

    Kind regards

    Andy

  • SF300-48 - I want to have two VLANS communicate

    I want to segment our wired users from our wireless users, and I bought this switch in the hope of being able to do so.

    How can I do this?

    I've already put the switch in layer 3 mode.

    I created the second VLAN and assigned it an IP. How can I get the wireless VLAN talking to the data VLAN?

    Thank you!

    Hi Scott,

    You've only sent me part of the story, but let's move forward another step and add a static route to the WAN router...

    A network diagram, even one done in Paint, would be fantastic for understanding the topology of your network.

    Without the full story of how the network is set up, I have to work on assumptions.

    PCs in the 10.1.32.0 network used the WAN router as the default gateway. You have set the default gateway to the switch's VLAN1 or VLAN2 IP address, according to which VLAN the PC is in.

    I'll work on the assumption that the IP address of VLAN1 on the SF300 switch is 10.1.32.100.

    Step 1. Put the PC in VLAN1 back so its default gateway is 10.1.32.1.

    Step 2. Add an appropriate static route in your WAN router so that it knows how to send traffic to VLAN2.

    It could be something like this, and I'll quote the route statement that must reside in your WAN router:

    To reach network 10.20.32.0 with mask 255.255.255.0, gateway 10.1.32.100 (IP address of VLAN1 on the SF300).

    This should then allow PC hosts in VLAN1 and the router to learn how to get traffic to VLAN2. The router will redirect traffic to the SF300 switch, which has an interface in VLAN2, so it certainly knows how to get IP packets to VLAN2.

    If the WAN router knows where VLAN2 is, via the SF300 switch, then it might be able to NAT traffic from this second VLAN to the Internet.

    We are not finished here; more is yet to happen, such as DNS resolution and DHCP for hosts in VLAN2, and possible NAT problems depending on the capabilities of your WAN router.

    Best regards, Dave
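Dave's two steps carried through as an added example (not from the thread): the SF300 in layer 3 mode with both VLAN interfaces and a default route to the WAN router, and the static route on the router. Assumed, following Dave's own assumptions: SF300 VLAN1 address 10.1.32.100, VLAN2 is 10.20.32.0/24 with the switch at .1, the WAN router is 10.1.32.1 and runs IOS, and the AP hangs off port fa48 (Sx300 port naming; adjust to yours). The NAT ACL name on the router is invented.

```cisco
! Added example, not from the thread. Addresses follow Dave's assumptions above.
!
! --- SF300-48 in layer 3 mode ---
vlan database
 vlan 2
exit
interface vlan 1
 ip address 10.1.32.100 255.255.255.0
interface vlan 2
 name Wireless
 ip address 10.20.32.1 255.255.255.0
! VLAN2 hosts use 10.20.32.1 as gateway; the switch sends everything else to the WAN router
ip route 0.0.0.0 0.0.0.0 10.1.32.1
! port facing the wireless AP (access, VLAN 2 untagged)
interface fa48
 switchport mode access
 switchport access vlan 2
!
! --- WAN router (IOS) ---
! Step 2: tell the router that VLAN2 lives behind the SF300's VLAN1 address
ip route 10.20.32.0 255.255.255.0 10.1.32.100
! If the router NATs to the Internet with an inside-source ACL, VLAN2 must be in it too,
! otherwise VLAN2 reaches VLAN1 but never the Internet (the "possible NAT problems" Dave mentions).
ip access-list standard NAT-INSIDE
 permit 10.1.32.0 0.0.0.255
 permit 10.20.32.0 0.0.0.255
```

Check with show ip route on both devices; from a VLAN2 PC, traceroute to a VLAN1 host should show only 10.20.32.1, and traceroute to the Internet should show 10.20.32.1 then 10.1.32.1. Note that VLAN1 PCs keep 10.1.32.1 as gateway, so their traffic to VLAN2 goes to the router first and is redirected to the switch; that works, but if you later want to restrict what wireless can reach on the data VLAN, put the ACL on the SF300's VLAN 2 interface, since that is where the traffic is actually routed.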

  • WLC management port on a trunk other than the native VLAN

    Hello

    I installed my first WLC 5508 with this topology:

    WLC connected through a 1 GB SFP distribution port to a switch port configured as a trunk port carrying 3 wireless VLANs:

    - WLC management, wireless voice and wireless data VLANs (native VLAN is WLC management).

    - I created 2 dynamic interfaces on the WLC for my wireless VLANs:

    10.7.1.0/24: default management interface + virtual interface created at WLC install.

    10.7.6.0/24: voice interface, and

    10.7.2.0/24: wireless data interface created through the GUI.

    The DHCP server configured on each dynamic interface is the L3 VLAN interface IP of the main switch, with a DHCP pool for the matching VLAN subnet.

    WLC management interface IP address is: 10.7.1.10/24

    I created 2 WLANs: SSID data with ID 1, and voice with ID 2.

    I created an AP group named APGRP1 that contains the APs registered on the WLC and uses the two WLAN SSIDs.

    The two APs are connected to switch access ports configured as access ports in the WLC management (native) VLAN.

    I have created 3 IP DHCP pools on the main switch with the related L3 interfaces for inter-VLAN routing.

    Problem: when I try to connect from a laptop to the data SSID, I get an IP address from the WLC management VLAN, not the data VLAN.

    Same case for the wireless IP phone configured with the voice SSID.

    What can I do so that both devices get an IP address from the correct VLAN?

    Thanks

    Hi Adil,

    Q1 > Should the AP port on the switch be configured in access mode or trunk mode?

    ANS - The switchport the LWAPP/CAPWAP APs connect to should be an access port, not a trunk.

    Q2 > In the first case, does a port configured in the same VLAN as the WLC management VLAN support the other WLANs' VLANs (voice and data)?

    ANS - Yes, it does, since the WLAN traffic will be inside the logical LWAPP/CAPWAP tunnel.

    Q3 > I will check the mapping between the WLANs and the dynamic interfaces and let you know.

    ANS - I will wait for your answer!

    Let me know if that answers your question...

    Regards
    Surendra
    ====
    Please do not forget to rate posts that answered your question and mark them as answered or helpful
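The mapping Surendra asks about in Q3 is the usual cause of the symptom in this post: a WLAN still bound to the management interface hands its clients management-VLAN addresses. Here is that binding done from the AireOS CLI, as an added example (not from the thread). Assumed: VLAN 2 for wireless data and VLAN 6 for voice, dynamic interface names "data" and "voice", WLAN IDs 1 and 2 as in the post, the main switch's SVI addresses (x.x.x.1) as DHCP servers, and 7.x command syntax; the lines starting with "!" are annotations for the reader, not WLC commands.

```cisco
! Added example, not from the thread. Dynamic interfaces, one per client VLAN.
! Management stays on its own VLAN (native on the trunk); every dynamic interface
! needs a non-zero VLAN ID that is allowed and tagged on the switch trunk to the WLC.
config interface create data 2
config interface address dynamic-interface data 10.7.2.10 255.255.255.0 10.7.2.1
config interface port data 1
config interface dhcp dynamic-interface data primary 10.7.2.1
!
config interface create voice 6
config interface address dynamic-interface voice 10.7.6.10 255.255.255.0 10.7.6.1
config interface port voice 1
config interface dhcp dynamic-interface voice primary 10.7.6.1
!
! A WLAN must be disabled while its interface is changed.
config wlan disable 1
config wlan interface 1 data
config wlan enable 1
!
config wlan disable 2
config wlan interface 2 voice
config wlan enable 2
!
! Verify: "Interface Name" in show wlan must no longer read "management".
show interface summary
show wlan 1
show wlan 2
```

If the controller's management interface is set to VLAN 0 (untagged), the native VLAN of the switch trunk must be the management VLAN, exactly as described in this post; with the WLANs bound to their dynamic interfaces, show client detail for a data client should then report VLAN 2 and an address from the 10.7.2.0/24 pool.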

  • Single SSID on an autonomous access point

    Hello

    My question is: what if I have one SSID on an autonomous access point and I use the native VLAN too? I mean, what's the best practice in this case, if the wireless VLAN is, say, 10?

    Also, do I have to use BVI1 or do I have to create another BVI for this VLAN?

    Thank you

    In my experience it's not a must to use the native VLAN.

    No, you should use only one BVI interface.

    Just like that:

    conf t
    !
    dot11 ssid ABC
     vlan 10
     authentication open
     authentication key-management wpa version 2
     wpa-psk ascii cisco123
     guest-mode
    !
    interface Dot11Radio0
     ssid ABC
     encryption vlan 10 mode ciphers aes-ccm
    !
    interface Dot11Radio1
     ssid ABC
    ! the cipher must be set for the SSID's VLAN (10) on this radio too
     encryption vlan 10 mode ciphers aes-ccm
    !
    ! VLAN 10 subinterfaces go in bridge-group 1, the group BVI1 belongs to
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface GigabitEthernet0.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface BVI1
     ip address <address> <mask>

    Regards

    Remember to rate useful posts

  • Can the built-in DHCP of the WLC provide IP addresses for wired clients?

    Hello

    We have a WLC running 7.0.98.0. It provides IP addresses for wireless users. Now we would like to put in a couple of wired workstations for customers who do not bring a laptop. I wonder, if I put these workstations on the same wireless VLAN, can they still get IPs from the WLC? If not, I'll put static IPs on these workstations.

    Thanks in advance.

    Robert

    Rob:
    The answer is simply "no". The WLC cannot provide IP addresses to wired clients on the same wireless VLAN if DHCP is configured on the WLC.

    What Fbarboza mentioned above is a 'very' special configuration on wireless LANs where the WLC is configured to support some wired clients, and it needs two WLCs (the feature is called Wired Guest). This particular case does not apply to your situation.

    For your situation, my answer above applies.

    Note

    An internal DHCP server pool will only serve the wireless clients of that controller, not clients of other controllers. Also, the internal DHCP server can only serve wireless clients and not wired clients.

    Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html

    HTH

    Amjad

  • Port forwarding with an ASA 5520

    Hi all

    I recently bought a Cisco ASA 5520 on eBay for study and I decided to use it as the firewall between my home LAN and the Internet. Wow, what a learning curve! I managed to add my internal networks as objects and create a NAT rule (thanks to YouTube) to PAT my internal devices out to the Internet with ASDM, but I am really struggling to do the following:

    - allow all incoming traffic that hits the outside interface on port 38921 and NAT it to 10.1.10.101:38921

    - allow all incoming traffic that hits the outside interface on port 30392 and NAT it to 10.1.10.101:30392

    Can someone guide me on how to do it? I have a couple of services running behind these ports on a server that I want to reach when I'm not at home. My (rather messy) config is as follows:

    hostname FW1
    enable password <removed> encrypted
    passwd <removed> encrypted
    names
    !
    interface GigabitEthernet0/0
     description *Externally facing Internet*
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface GigabitEthernet0/1
     description *Internal facing to 3750*
     nameif inside
     security-level 100
     ip address 10.1.10.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ftp mode passive
    object network VLAN1
     subnet 192.168.1.0 255.255.255.0
     description Legacy
    object network WiredLAN
     subnet 10.1.10.0 255.255.255.0
     description Wired LAN
    object network CorporateWifi
     subnet 10.1.160.0 255.255.255.0
     description Corporate wireless VLAN 160
    object network GuestWifi
     subnet 10.1.165.0 255.255.255.0
     description Guest wireless VLAN 165
    object network LegacyLAN
     subnet 192.168.1.0 255.255.255.0
     description Legacy LAN in place until the changeover
    object network FileServer
     host 10.1.10.101
     description File Server
    object service Service1
     service tcp source eq 38921 destination eq 38921
     description Service 1
    object-group network All_Inside_Networks
     network-object object VLAN1
     network-object object WiredLAN
     network-object object CorporateWifi
     network-object object GuestWifi
     network-object object LegacyLAN
    object-group service Service2 tcp-udp
     port-object eq 30392
    object-group service DM_INLINE_TCPUDP_1 tcp-udp
     port-object eq 30392
     group-object Service2
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list Outside_access_in extended permit object-group TCPUDP any object FileServer object-group DM_INLINE_TCPUDP_1 inactive
    access-list Outside_access_in extended permit object Service1 any object FileServer inactive
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic FileServer interface service Service1 Service1 inactive
    nat (any,outside) source dynamic All_Inside_Networks interface
    access-group Outside_access_in in interface outside
    route inside 10.1.160.0 255.255.255.0 10.1.10.1 1
    route inside 10.1.165.0 255.255.255.0 10.1.10.1 1
    route inside 192.168.1.0 255.255.255.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.1.160.15 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet 10.1.160.15 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username Barry password <removed> encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:19be38edefe8c3fd05e720aedee62c8e
    : end

    1. This is just one example configuration, and another option, to save you sending us the complete NAT configuration:

    object network 10.1.10.101
     host 10.1.10.101
    object service 38921
     service tcp source eq 38921
    object service 30392
     service tcp source eq 30392
    nat (inside,outside) 1 source static 10.1.10.101 interface service 38921 38921
    nat (inside,outside) 1 source static 10.1.10.101 interface service 30392 30392

    Let me know if it works
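The same two port forwards done the other way, with object NAT instead of the twice NAT above, plus the access-list that has to accompany any inbound NAT on an ASA, as an added example that is not from the thread. The object names and the outside addresses used in packet-tracer are invented; 10.1.10.101 and the ports come from the question. Note that the posted config already has matching Outside_access_in entries, but both are marked inactive, and its existing "nat (inside,outside) source dynamic FileServer interface service Service1 Service1 inactive" line should be removed rather than left alongside a static rule for the same host.

```cisco
! Added example, not from the thread. One network object per forwarded port; object NAT
! (section 2) is bidirectional, so inbound hits on outside:38921 are translated to the host.
object network FileServer-38921
 host 10.1.10.101
 nat (inside,outside) static interface service tcp 38921 38921
object network FileServer-30392
 host 10.1.10.101
 nat (inside,outside) static interface service tcp 30392 30392
!
! On 8.3+ the interface ACL matches the real (untranslated) address, not the outside IP.
access-list Outside_access_in extended permit tcp any host 10.1.10.101 eq 38921
access-list Outside_access_in extended permit tcp any host 10.1.10.101 eq 30392
access-group Outside_access_in in interface outside
!
! Tighter: only the networks you actually connect from. Replace 203.0.113.0/24 and
! use these lines instead of the "any" ones above.
! access-list Outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 host 10.1.10.101 eq 38921
! access-list Outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 host 10.1.10.101 eq 30392
!
! Verify from the outside interface's point of view (198.51.100.10 stands in for the
! address DHCP gave the outside interface; 203.0.113.5 is the remote client).
packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.10 38921
show nat detail
show xlate
```

packet-tracer should end with "Action: allow" and show both a NAT phase and an ACCESS-LIST phase; if the NAT phase is missing, the dynamic twice-NAT rule for FileServer is still present and is being matched first.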

  • 5508 WLC and associating a 1242

    I have a 5508 running 6.0.196.0 and have a few 1142s currently associated with it. I tried to get a 1242 to associate, but it won't.

    My WLC gets DHCP on a wireless VLAN (950) and the 1242 gets an IP address on this VLAN, but does not associate or show up as an AP.

    In addition, I have a console cable connected and attached the console output, but cannot get my settings (via HyperTerminal) to get to the CLI. I'm set to 9600, N, 8, 1 and I tried a few other settings.

    Layer 1 - good

    Layer 2 - good

    Layer 3 - good

    1142
    1142
    1142
    1252

    DHCP leases are up and I can ping any of these, but only the three 1142s show in the controller.

    Any thoughts as to why it doesn't show up? How about my HyperTerminal settings?

    Thank you!

    You probably have Scroll Lock activated in HyperTerminal; this is why the AP will not respond to your input. Make sure that the terminal emulation program has Scroll Lock off.

    In regards to the 1252 not joining, the reason is that it runs an autonomous AP image, not an LWAPP/CAPWAP image. You can see this if you look at the name of the image: it has k9w7, which is the autonomous image. k9w8 is the lightweight image. You just need to convert this AP to lightweight.

  • VPN: allow Transparent Tunneling

    Hello

    I'm trying to connect to my work VPN using the Cisco VPN client. I find this problem interesting because I have recently finished my beginner's CCENT exam with Cisco and am entering this world.

    Anyway, here's what I know:

    (1) When trying to connect to work it says "contacting the security gateway x.x.x.x" and never asks me for my username and password.

    (2) If I go to the coffee shop down the street, it works very well on their wireless. So I know this isn't a setting on my computer (believe me, this isn't a firewall setting for a specific network location either).

    (3) When I tried the VPN on the 'broken' network with "Enable Transparent Tunneling" turned off, it asks me for my username and password and shows it's connected, with the lock at the bottom by the start menu. However, I can't ping or reach anything on the remote network.

    (4) The TCP tunnel on port 10000 is blocked at my work.

    (5) IPsec over UDP does not work either.

    (6) I am on a school network and I think they have blocked something, I don't know what, but I'm guessing UDP...

    Any possible workaround for this?

    Thank you guys!

    (1) When trying to connect to work it says "contacting the security gateway x.x.x.x" and never asks me for my username and password.

    kdalf,

    It is possible and very common that some organizations do not allow the IPsec VPN ports, or that IPsec is allowed on a per-user basis; this is just a possibility. Another possibility may be that they do not allow IPsec VPN on their wireless VLAN either. What you need to do is contact the network administrators and ask them to confirm whether the IPsec VPN ports are indeed allowed or not; I guess they are not. If that request is out of your reach, you can also ask whether someone else in the same area you connect from has successfully connected to their work via IPsec.

    (2) If I go to the coffee shop down the street, it works very well on their wireless. So I know this isn't a setting on my computer (believe me, this isn't a firewall setting for a specific network location either).

    This supports my answer to question 1: the coffee shop allows the IPsec VPN ports; it's nice for attracting more customers :)

    (3) When I tried the VPN on the 'broken' network with "Enable Transparent Tunneling" turned off, it asks me for my username and password and shows it's connected, with the lock at the bottom by the start menu. However, I can't ping or reach anything on the remote network.

    This pretty much depends on the issue in question 1.

    (4) The TCP tunnel on port 10000 is blocked at my work.

    IPsec over TCP port 10000 is usually implemented at the RA VPN server level, so if you choose IPsec over TCP on port 10000 in your client, you should be aware that the RA VPN server must also be configured for this.

    (5) IPsec over UDP does not work either.

    (6) I am on a school network and I think they have blocked something, I don't know what, but I'm guessing UDP...

    Q5 and 6: same answer as question 1.

    A workaround depends very much on whether your school allows the IPsec ports; you must contact the network administrator before attempting to troubleshoot the VPN client software.

    Rgds

    Jorge

  • Router and VPN Client for Public Internet on a Stick

    I'm trying to follow http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml to allow VPN clients to receive their internet connection through the tunnel instead of split tunneling. Internal resources are reachable, but the internet does not work when a client is connected. It seems that the VPN clients are not being translated.

    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key KeyString address x.x.x.x no-xauth
    !
    crypto isakmp client configuration group VPN-users
     key KeyString
     dns 208.67.222.222 208.67.220.220
     domain domain.com
     pool VPN_POOL
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile IKE-PROFILE
     match identity group VPN-users
     client authentication list default
     isakmp authorization list default
     client configuration address initiate
     client configuration address respond
     virtual-template 1
    !
    !
    ! name kept as it is referenced below; note the set actually uses AES-256, not 3DES
    crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile IPSEC_PROFILE1
     set transform-set ESP-3DES-SHA
     set isakmp-profile IKE-PROFILE
    !
    !
    crypto dynamic-map DYNMAP 10
     set transform-set ESP-3DES-SHA
     reverse-route
    !
    !
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp
     set peer x.x.x.x
     set transform-set ESP-3DES-SHA
     set pfs group1
     match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    archive
     log config
      hidekeys
    !
    !
    controller T1 2/0
     framing sf
     linecode ami
    !
    ip ssh authentication-retries 2
    !
    !
    !
    !
    interface Loopback0
     ip address 192.168.100.1 255.255.255.0
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
    !
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     description $ETH-WAN$$FW_OUTSIDE$
     ip address dhcp client-id FastEthernet0/0 hostname 3725router
     ip access-group 104 in
     no ip unreachables
     ip nat outside
     ip inspect SDM_LOW out
     ip ips sdm_ips_rule in
     ip virtual-reassembly
     ip policy route-map SDM_RMAP_1
     duplex auto
     speed auto
     crypto map CLIENTMAP
    !
    interface Serial0/0
     description $FW_OUTSIDE$
     ip address 10.0.0.1 255.255.240.0
     ip access-group 105 in
     ip verify unicast reverse-path
     no ip unreachables
     ip inspect SDM_LOW out
     ip virtual-reassembly
     shutdown
     clock rate 2000000
     crypto map CLIENTMAP
    !
    interface FastEthernet0/1
     no ip address
     no ip unreachables
     ip virtual-reassembly
     speed auto
     full-duplex
    !
    interface FastEthernet0/1.2
     description $FW_INSIDE$
     encapsulation dot1Q 2
     ip address 172.16.2.1 255.255.255.0
     ip access-group 101 in
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
     ipv6 enable
    !
    interface FastEthernet0/1.3
     description $FW_INSIDE$
     encapsulation dot1Q 3
     ip address 172.16.3.1 255.255.255.0
     ip access-group 102 in
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
     ipv6 enable
    !
    interface FastEthernet0/1.10
     description Guest wireless VLAN
     encapsulation dot1Q 100
     ip address 172.16.100.1 255.255.255.0
     ip access-group 110 out
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1.50
     description $Phones$
     encapsulation dot1Q 50
     ip address 172.16.50.1 255.255.255.0
     ip virtual-reassembly
    !
    interface Serial0/1
     no ip address
     no ip unreachables
     shutdown
     clock rate 2000000
    !
    interface Serial0/2
     no ip address
     shutdown
    !
    interface Serial0/3
     no ip address
     shutdown
    !
    interface Serial1/0
     no ip address
     shutdown
    !
    interface BRI2/0
     no ip address
     ip virtual-reassembly
     encapsulation hdlc
     shutdown
    !
    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip unnumbered Loopback0
     ip access-group 103 in
     no ip unreachables
     ip virtual-reassembly
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC_PROFILE1
    !
    ip local pool VPN_POOL 192.168.0.100 192.168.0.105
    ip forward-protocol nd
    ip route 172.16.200.0 255.255.255.252 172.16.2.3
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat translation udp-timeout 900
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    !
    logging origin-id hostname
    logging 172.16.3.3
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=17
    access-list 101 permit ahp any host 172.16.2.1
    access-list 101 permit esp any host 172.16.2.1
    access-list 101 permit udp any host 172.16.2.1 eq isakmp
    access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
    access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny tcp any any range 1 chargen log
    access-list 101 deny tcp any any eq whois log
    access-list 101 deny tcp any any eq 93 log
    access-list 101 deny tcp any any range 135 139 log
    access-list 101 deny tcp any any eq 445 log
    access-list 101 deny tcp any any range exec 518 log
    access-list 101 deny tcp any any eq uucp log
    access-list 101 permit ip any any
    access-list 101 deny ip 172.16.100.0 0.0.0.255 any log
    access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 permit ip any any
    access-list 103 deny ip 172.16.2.0 0.0.0.255 any
    access-list 103 deny ip 10.0.0.0 0.0.15.255 any
    access-list 103 deny ip 172.16.3.0 0.0.0.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any
    access-list 104 remark SDM_ACL Category=17
    access-list 104 permit ip host 192.168.0.100 any
    access-list 104 permit ip host 192.168.0.101 any
    access-list 104 permit ip host 192.168.0.102 any
    access-list 104 permit ip host 192.168.0.103 any
    access-list 104 permit ip host 192.168.0.104 any
    access-list 104 permit ip host 192.168.0.105 any
    access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 104 permit ip host 192.168.0.100 172.16.0.0 0.0.255.255
    access-list 104 permit ip host 192.168.0.101 172.16.0.0 0.0.255.255
    access-list 104 permit ip host 192.168.0.102 172.16.0.0 0.0.255.255
    access-list 104 allow host ip 192.168.0.103 172.16.0.0 0.0.255.255
    access-list 104 allow host 192.168.0.104 ip 172.16.0.0 0.0.255.255
    access-list 104 allow host ip 192.168.0.105 172.16.0.0 0.0.255.255
    access-list 104. allow ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 104 permit udp host 205.152.132.23 eq field all
    access-list 104 permit udp host 205.152.144.23 eq field all
    Access-list 104 remark Auto generated by SDM for NTP 129.6.15.29 (123)
    access-list 104 permit udp host 129.6.15.29 eq ntp ntp any eq
    access-list allow 104 of the ahp an entire
    access-list 104 allow esp a whole
    access-list allow 104 a 41
    access-list 104 permit udp any any eq isakmp
    access-list 104 permit udp any any eq non500-isakmp
    access-list 104 deny ip 10.0.0.0 0.0.15.255 no matter what newspaper
    access-list 104 deny ip 172.16.2.0 0.0.0.255 any what newspaper
    access-list 104 deny ip 192.168.0.0 0.0.0.255 any what newspaper
    access-list 104 deny ip 172.16.3.0 0.0.0.255 any what newspaper
    access-list 104 permit udp any eq bootps any eq bootpc
    access-list 104 permit icmp any any echo response
    access-list 104 permit icmp any one time exceed
    access-list 104 allow all unreachable icmp
    access-list 104 permit icmp any any echo
    access-list 104 refuse icmp any any newspaper mask-request
    access-list 104 refuse icmp any any redirect newspaper
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any what newspaper
    access-list 104 deny ip 172.16.0.0 0.15.255.255 no matter what newspaper
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any what newspaper
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any what newspaper
    104 refuse 224.0.0.0 ip access-list 15.255.255.255 no matter what newspaper
    104 refuse host 255.255.255.255 ip access-list no matter what paper
    access-list 104 tcp refuse any any newspaper of the range 6000-6063
    access-list 104 tcp refuse any any eq newspaper 6667
    access-list 104 tcp refuse any any 12345 12346 range journal
    access-list 104 tcp refuse any any eq 31337 newspaper
    access-list 104 deny udp any any eq 2049 newspaper
    access-list 104 deny udp any any eq 31337 newspaper
    access-list 104 deny udp any any 33400 34400 range journal
    access-list 104 deny ip any any newspaper
    Note access-list 105 SDM_ACL category = 17
    access-list 105 allow the host ip 192.168.0.100 everything
    access-list 105 allow the host ip 192.168.0.101 everything
    access-list 105 allow the host ip 192.168.0.102 everything
    access-list 105 allow the host ip 192.168.0.103 everything
    access-list 105 192.168.0.104 ip host allow all
    access-list 105 allow the host ip 192.168.0.105 everything
    access-list 105 host ip 192.168.0.100 permit 172.16.0.0 0.0.255.255
    access-list 105 host ip 192.168.0.101 permit 172.16.0.0 0.0.255.255
    access-list 105 host ip 192.168.0.102 permit 172.16.0.0 0.0.255.255
    access-list 105 host ip 192.168.0.103 permit 172.16.0.0 0.0.255.255
    access-list 105 192.168.0.104 ip host permit 172.16.0.0 0.0.255.255
    access-list 105 host ip 192.168.0.105 permit 172.16.0.0 0.0.255.255
    access-list 105 allow ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 105 permit udp any host 10.0.0.1 eq non500-isakmp
    access-list 105 permit udp any host 10.0.0.1 eq isakmp
    access-list 105 allow esp any host 10.0.0.1
    access-list 105 allow ahp any host 10.0.0.1
    access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
    access-list 105 allow ahp 10.0.0.2 10.0.0.1 host
    access-list 105 allow esp 10.0.0.2 10.0.0.1 host
    access-list 105 permit udp host 10.0.0.2 10.0.0.1 host eq isakmp
    access-list 105 permit udp host 10.0.0.2 10.0.0.1 host eq non500-isakmp
    access-list 105 allow ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
    access-list 105 deny ip 172.16.2.0 0.0.0.255 any
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip 172.16.3.0 0.0.0.255 any
    access-list 105 permit icmp any host 10.0.0.1 echo-reply
    access-list 105 permit icmp any host 10.0.0.1 exceeded the time
    access-list 105 permit icmp any host 10.0.0.1 inaccessible
    access-list 105 deny ip 10.0.0.0 0.255.255.255 everything
    access-list 105 deny ip 172.16.0.0 0.15.255.255 all
    access-list 105 deny ip 192.168.0.0 0.0.255.255 everything
    access-list 105 deny ip 127.0.0.0 0.255.255.255 everything
    105 refuse host 255.255.255.255 ip access-list all
    access-list 105 refuse host ip 0.0.0.0 everything
    access-list 105 deny ip any any newspaper
    access-list 110 deny ip 172.16.2.0 0.0.0.255 any
    access-list 110 deny ip 172.16.3.0 0.0.0.255 any
    access ip-list 110 permit a whole
    access-list 115 permit ip 172.16.0.0 0.0.255.255 everything
    access-list 115 permit ip 192.168.0.0 0.0.0.255 any
    access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 allow ip 172.16.0.0 0.0.255.255 everything
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
    access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.101
    access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.102
    access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.103
    access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.104
    access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.105
    access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    access-list 150 permit ip 172.16.3.0 0.0.0.255 any
    access-list 150 permit ip 192.168.0.0 0.0.0.255 any
    public RO SNMP-server community
    IPv6 route: / 0 Tunnel0
    !
    !
    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 150
    set ip next-hop 192.168.100.2
    !
    SDM_RMAP_1 allowed 10 route map
    corresponds to the IP 150
    set ip next-hop 192.168.100.2
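
    Added example (not code from the thread or from Cisco): the ACL block above is long enough that rule ordering is easy to get wrong, and in access-list 101 the final `deny ip 172.16.100.0 0.0.0.255 any log` sits after `permit ip any any`, so it can never match. The script below parses numbered IOS access lists (standard and extended syntax, as used in the configuration above) and reports every rule that is fully covered by an earlier rule of the same list; a covered rule with the opposite action is flagged as a conflict, because its intent is silently lost. The sample input is a constructed excerpt modelled on ACL 101 and 103 above. Only contiguous wildcard masks are handled, and port qualifiers are compared textually, which is conservative (it never reports a rule as shadowed when it is not).

```python
"""Shadowed-rule check for numbered Cisco IOS access lists (added example)."""
import ipaddress
import re
from dataclasses import dataclass

_DOTTED = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
_PORT_OPS = {'eq': 1, 'neq': 1, 'gt': 1, 'lt': 1, 'range': 2}


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: str   # port / ICMP-type text; '' when the rule matches all ports
    text: str


@dataclass(frozen=True)
class Finding:
    acl: str
    rule: str          # the unreachable (or redundant) line
    shadowed_by: str   # the earlier line that already matches everything it would
    conflict: bool     # actions differ: the later rule's intent is silently lost


def _wildcard_to_prefix(wildcard):
    """IOS wildcard (host) mask -> prefix length; only contiguous masks are supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous low-order ones look like 0, 1, 3, 7, ...
        raise ValueError(f'non-contiguous wildcard mask {wildcard} not supported')
    return 32 - w.bit_length()


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == 'any':
        return ipaddress.ip_network('0.0.0.0/0')
    if tok == 'host':
        return ipaddress.ip_network(tokens.pop(0) + '/32')
    if tokens and _DOTTED.match(tokens[0]):
        prefix = _wildcard_to_prefix(tokens.pop(0))
        return ipaddress.ip_network(f'{tok}/{prefix}', strict=False)
    return ipaddress.ip_network(tok + '/32')  # standard ACL shorthand for a single host


def _parse_ports(tokens):
    """Consume an optional port operator (eq/neq/gt/lt/range) and its operands."""
    if tokens and tokens[0] in _PORT_OPS:
        op = tokens.pop(0)
        return op + ' ' + ' '.join(tokens.pop(0) for _ in range(_PORT_OPS[op]))
    return ''


def parse_rule(line):
    """Parse one 'access-list N permit|deny ...' line; None for remarks and other lines."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != 'access-list' or tokens[2] not in ('permit', 'deny'):
        return None
    acl, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    if proto in ('any', 'host') or _DOTTED.match(proto):
        rest.insert(0, proto)  # standard ACL: no protocol field, source only
        proto, sport = 'ip', ''
        src, dst = _parse_addr(rest), ipaddress.ip_network('0.0.0.0/0')
    else:
        src = _parse_addr(rest)
        sport = _parse_ports(rest)
        dst = _parse_addr(rest)
    extras = [t for t in rest if t not in ('log', 'log-input')]  # logging does not affect matching
    qualifier = ' '.join((['src ' + sport] if sport else []) + extras)
    return Rule(acl, action, proto, src, dst, qualifier, line)


def covers(earlier, later):
    """True when every packet matched by `later` is already matched by `earlier`."""
    proto_ok = earlier.proto == 'ip' or earlier.proto == later.proto
    ports_ok = earlier.qualifier == '' or earlier.qualifier == later.qualifier
    return (proto_ok and ports_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def find_shadowed(config_text):
    """Walk the config top to bottom and report rules that an earlier rule fully covers."""
    seen, findings = {}, []
    for line in config_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None:
            continue
        earlier_rules = seen.setdefault(rule.acl, [])
        for earlier in earlier_rules:
            if covers(earlier, rule):
                findings.append(Finding(rule.acl, rule.text, earlier.text,
                                        earlier.action != rule.action))
                break
        earlier_rules.append(rule)
    return findings


# Constructed sample modelled on the thread's ACL 101 and 103 (not a real device dump).
SAMPLE_ACL = """\
access-list 101 remark SDM_ACL Category=17
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny tcp any any eq 445 log
access-list 101 permit ip any any
access-list 101 deny ip 172.16.100.0 0.0.0.255 any log
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip host 172.16.2.7 any
access-list 103 permit ip any any
"""

if __name__ == '__main__':
    for f in find_shadowed(SAMPLE_ACL):
        kind = 'CONFLICT' if f.conflict else 'redundant'
        print(f'ACL {f.acl} {kind}: "{f.rule}" is shadowed by "{f.shadowed_by}"')
```

    Run it against the output of `show running-config | include access-list`; the conflict finding is the one to act on (move the deny above the permit), while a redundant finding is only clean-up.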

    Based on my own tests in the lab, you can do this with and without policy routing. You can configure policy routing on the virtual-template interface and direct the traffic to the interface where ip nat inside is enabled, or you can simply configure ip nat inside on the virtual-template interface and remove the policy routing.

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    crypto isakmp client configuration group VPN-users
     key cisco123
     dns 208.67.222.222 208.67.220.220
     domain domain.com
     pool VPN_POOL
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile IKE-PROFILE
     match identity group VPN-users
     client authentication list default
     isakmp authorization list default
     client configuration address initiate
     client configuration address respond
     virtual-template 1

    crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac

    crypto ipsec profile IPSEC_PROFILE1
     set transform-set ESP-3DES-SHA
     set isakmp-profile IKE-PROFILE

    crypto dynamic-map DYNMAP 10
     set transform-set ESP-3DES-SHA
     reverse-route
    !
    !
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

    interface GigabitEthernet0/0
     ip address 1.1.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map CLIENTMAP

    interface Virtual-Template1 type tunnel
     ip unnumbered GigabitEthernet0/0
     ip nat inside
     ip virtual-reassembly
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC_PROFILE1

    ip local pool VPN_POOL 192.168.0.100 192.168.0.105

    ip nat inside source list 150 interface GigabitEthernet0/0 overload

    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
    access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
    access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    access-list 150 permit ip 172.16.2.0 0.0.0.255 any
    access-list 150 permit ip 172.16.3.0 0.0.0.255 any
    access-list 150 permit ip 192.168.0.0 0.0.0.255 any

    ***************************************************************************************

    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 1.1.1.1:1         192.168.0.102:1    4.2.2.2:1          4.2.2.2:1

  • AP1131 - De-authentication problem - users do not get an IP

    Users connected to the AP1131G cannot get DHCP!

    Hi all,

    I hope we can find a solution to my problem.

    I have an AIR-AP1131G-E-K9 access point connected to a 2960 switch; the port configuration is:

    interface F0/24
     switchport mode access
     switchport access vlan 63
     switchport voice vlan 62
    !
    !

    I configured two SSIDs on it, one for users and the other for voice, which is hidden.

    The user SSID has security, but the voice SSID has no security restrictions.

    (The main problem is that any user connecting to the AP1131G cannot get an IP via DHCP, but voice can get DHCP and connects normally.)

    -AP configuration-

    Admin-AP1#sh run
    Building configuration...

    Current configuration : 2462 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Admin-AP1
    !
    enable secret 5 $1$iL05$CMki6n7Twwea0QLL58oCg0
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    !
    dot11 ssid HW-Admin-AP1
       vlan 63
       authentication open
       guest-mode
       mbssid guest-mode
    !
    dot11 ssid voip
       vlan 62
       authentication open
    !
    power inline negotiation prestandard source
    !
    !
    username Cisco password 7 123A0C041104
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 63 key 1 size 40bit 7 589074CFA6CD transmit-key
     encryption vlan 63 mode wep mandatory
     !
     encryption vlan 62 key 1 size 40bit 7 76B3B1F212E9 transmit-key
     encryption vlan 62 mode wep mandatory
     !
     ssid HW-Admin-AP1
     !
     ssid voip
     !
     mbssid
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.62
     encapsulation dot1Q 62
     no ip route-cache
     no snmp trap link-status
     bridge-group 62
     bridge-group 62 subscriber-loop-control
     bridge-group 62 block-unknown-source
     no bridge-group 62 source-learning
     no bridge-group 62 unicast-flooding
     bridge-group 62 spanning-disabled
    !
    interface Dot11Radio0.63
     encapsulation dot1Q 63
     no ip route-cache
     no snmp trap link-status
     bridge-group 63
     bridge-group 63 subscriber-loop-control
     bridge-group 63 block-unknown-source
     no bridge-group 63 source-learning
     no bridge-group 63 unicast-flooding
     bridge-group 63 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.62
     encapsulation dot1Q 62
     no ip route-cache
     no snmp trap link-status
     bridge-group 62
     no bridge-group 62 source-learning
    !
    interface FastEthernet0.63
     encapsulation dot1Q 63
     no ip route-cache
     no snmp trap link-status
     bridge-group 63
     no bridge-group 63 source-learning
    !
    interface BVI1
     ip address 172.18.63.2 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 172.18.63.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    !
    !
    !
    line con 0
     password 7 1101180B1632595C557A
    line vty 0 4
     password 7 09444F07182545425A5C
     logging synchronous
     login
    !
    end

    -----------------------------------------------------

    I would like to know what the problem with my setup is, if there is a problem.

    I need to know why it does not connect, as the voice phones work normally and get IP addresses via DHCP.

    I would like to mention here that the DHCP source for the two VLANs is the same (Core); here is the configuration related to this topic.

    ip dhcp excluded-address 172.18.63.1 172.18.63.50
    !
    ip dhcp pool H-VLAN-wireless
       network 172.18.63.0 255.255.255.0
       dns-server 172.18.11.16 172.18.11.18
       domain-name hw.net
       default-router 172.18.63.1
    !
    ip dhcp pool H-VLAN-Users
       network 172.18.61.0 255.255.255.0
       default-router 172.18.61.10
       dns-server 172.18.11.16 172.18.11.18
       domain-name hw.net
       netbios-name-server 172.18.11.18
    !
    !

    ----------------------------------------------------------

    If anyone can help me with how to troubleshoot this problem and how to determine its cause.

    Hello,

    Change the switchport to a trunk config...

    On the SWITCH

    ============

    int fa 0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 63
     no shut
    end

    Access point
    =========

    conf t
    interface Dot11Radio0.63
     encapsulation dot1Q 63 native
     bridge-group 1
    end

    conf t
    int fa 0.63
     encapsulation dot1Q 63 native
     bridge-group 1
    end

    That will do it for you! Let me know if this answers your question!

    Please do not forget to rate the helpful posts!
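
    Added example (not code from the thread, from Cisco, or from either poster): the reply above works because it lines up how the AP tags each VLAN on its Ethernet port with what the switchport will accept. The script below parses the wired side of an autonomous-AP config (`encapsulation dot1Q N [native]` plus `bridge-group` on the FastEthernet sub-interfaces) and a Catalyst switchport block, and reports, per VLAN, whether the frames the AP sends will be placed in the intended VLAN or dropped. The switch model is a simplification stated as an assumption in the code: an access port takes untagged frames into its access VLAN and accepts tags only for its voice VLAN; a trunk takes untagged frames into the native VLAN and all other VLANs tagged (trunk allowed-VLAN pruning and `vlan dot1q tag native` are not modelled). The before/after configs are constructed excerpts of the ones in this thread.

```python
"""Does the AP's VLAN tagging match the switchport? (added example)"""


def parse_switchport(cfg):
    """Extract the access/trunk settings of one Catalyst switchport block."""
    port = {'mode': 'access', 'access': 1, 'voice': None, 'native': 1}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ['switchport', 'mode']:
            port['mode'] = t[2]
        elif t[:3] == ['switchport', 'access', 'vlan']:
            port['access'] = int(t[3])
        elif t[:3] == ['switchport', 'voice', 'vlan'] and t[3].isdigit():
            port['voice'] = int(t[3])
        elif t[:4] == ['switchport', 'trunk', 'native', 'vlan']:
            port['native'] = int(t[4])
    return port


def parse_ap_wired(cfg):
    """Map each VLAN the AP bridges onto its Ethernet port to {'tagged', 'bridge_group'}.

    Key None is the untagged traffic of the main FastEthernet interface (the BVI /
    management bridge-group when nothing else is marked native).
    """
    carried = {}
    iface, vlan, native = None, None, False
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == 'interface':
            iface, vlan, native = t[1], None, False
        elif iface and iface.startswith('FastEthernet'):
            if t[:2] == ['encapsulation', 'dot1Q']:
                vlan, native = int(t[2]), 'native' in t
            elif t[0] == 'bridge-group' and t[1].isdigit():
                # a sub-interface with a bridge-group forwards that VLAN out of the wired port;
                # 'native' (or no encapsulation at all) means it leaves untagged
                carried[vlan] = {'tagged': vlan is not None and not native,
                                 'bridge_group': int(t[1])}
    return carried


def check_attachment(ap_cfg, switch_cfg):
    """Return {vlan: (ok, explanation)} for every VLAN the AP sends to the switch."""
    port = parse_switchport(switch_cfg)
    # ASSUMPTION (simplified Catalyst behaviour): untagged frames go to the access VLAN
    # on an access port or the native VLAN on a trunk; an access port accepts tagged
    # frames only for its voice VLAN; a trunk accepts any non-native VLAN tagged.
    untagged_vlan = port['access'] if port['mode'] == 'access' else port['native']
    results = {}
    for vlan, info in parse_ap_wired(ap_cfg).items():
        if not info['tagged']:
            if vlan is None or vlan == untagged_vlan:
                results[vlan] = (True, f'untagged frames land in VLAN {untagged_vlan} on the switch')
            else:
                results[vlan] = (False, f'AP sends VLAN {vlan} untagged but the switch maps '
                                        f'untagged frames to VLAN {untagged_vlan}')
        elif port['mode'] == 'access':
            ok = vlan == port['voice']
            results[vlan] = (ok, 'tagged voice VLAN accepted on access port' if ok else
                             f'access port drops 802.1Q tag {vlan}: only the voice VLAN '
                             f'{port["voice"]} is accepted tagged')
        else:
            ok = vlan != port['native']
            results[vlan] = (ok, 'tagged on trunk' if ok else
                             f'VLAN {vlan} is the trunk native VLAN and must be sent untagged')
    return results


# Constructed excerpts modelled on the thread (before the fix and after it).
SWITCH_BEFORE = """\
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 63
 switchport voice vlan 62
"""
AP_BEFORE = """\
interface Dot11Radio0.63
 encapsulation dot1Q 63
 bridge-group 63
!
interface FastEthernet0
 bridge-group 1
!
interface FastEthernet0.62
 encapsulation dot1Q 62
 bridge-group 62
!
interface FastEthernet0.63
 encapsulation dot1Q 63
 bridge-group 63
"""
SWITCH_AFTER = """\
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 63
"""
AP_AFTER = AP_BEFORE.replace('encapsulation dot1Q 63\n bridge-group 63\n"""', '') \
                    .replace('interface FastEthernet0.63\n encapsulation dot1Q 63\n bridge-group 63',
                             'interface FastEthernet0.63\n encapsulation dot1Q 63 native\n bridge-group 1')

if __name__ == '__main__':
    for label, ap, sw in (('before', AP_BEFORE, SWITCH_BEFORE), ('after', AP_AFTER, SWITCH_AFTER)):
        for vlan, (ok, why) in check_attachment(ap, sw).items():
            print(f'{label}: VLAN {vlan if vlan is not None else "(untagged)"}: '
                  f'{"ok" if ok else "BROKEN"} - {why}')
```

    With the original access-port config the user VLAN 63 leaves the AP tagged and is the only VLAN the access port has no rule for, which is exactly why the voice SSID (voice VLAN 62, accepted tagged) gets DHCP while the user SSID does not; after the trunk/native change every VLAN is accepted.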
